On Mon, Apr 18, 2016 at 01:07:40PM +0200, Hubert Kario wrote: > On Monday 18 April 2016 02:46:19 H. Peter Anvin wrote: > > Another thing that really needs to be addressed, but is a separate > > issue: invalidating and reseeding the entropy pool after a snapshot > > event. > > definitely agreed > > though just reseeding would be sufficient - the goal is to make the > output unpredictable and unique between multiple machines starting from > the same snapshot, feeding enough random data to make the entropy pool > unique again is sufficient to achieve that If you're spawning multiple machines from the same base snapshot, the seeding of RNG is just one of many many things that need dealing with. eg new /etc/machine-id, new ssh host keys, changing MAC address of NICs with corresponding guest config file changes, many other application specific identifiers / keys intended to be unique per machine. As such, libvirt explicitly tries to prevent you spawning multiple machines from the same snapshot. That all said, Microsoft HyperV has defined a concept of a "Virtual Machine Generation ID" and specified various hypervisor operations which should result in this value changing[1]. For example restoring from a snapshot should always change the genid, as would restoring from backup, or cloned from another image, or failed over during disaster recovery. This vm genid is exposed to the guest via ACPI and there's an notification whenever it changes. There are patches for QEMU[2] to support this feature in a manner that is compatible with the hyperv spec, but they are sadly still not merged :-( So it would be possible for the Linux kernel to re-initialize its RNG after snapshot by hooking into the vm-genid ACPI notification. Regards, Daniel [1] https://lists.nongnu.org/archive/html/qemu-devel/2014-10/msg00489.html [2] https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05599.html -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list